Deploy Portworx using Azure managed identity on new AKS cluster


Perform the following steps to enable Azure managed identity on new AKS cluster:

  1. Login to the Azure and set the subscription:

    az login
    az account set –subscription <Your-Azure-Subscription-UUID>
  2. Check locations to create AKS cluster:

    az account list-locations
  3. Create an Azure Resource Group:

    az group create –name <resource-group-name> –location <location>
  4. Create an AKS cluster with managed identities:

    az aks create -g myResourceGroup -n myManagedCluster --enable-managed-identity
  5. Identify object and client IDs:

    az aks show -g myResourceGroup -n myManagedCluster --query identityProfile

    Example:

    az aks show -g cass-rg -n msi-test --query identityProfile
    {
      "kubeletidentity": {
        "clientId": "68c2bc67-f3a5-459d-9b57-14597efcbc70",
        "objectId": "c099f8ac-ba91-4c13-9456-3e5614296a35",
        "resourceId": "/subscriptions/72c299a4-a431-4b8e-80ef-6855109979d9/resourcegroups/MC_cass-rg_msi-test_eastus/providers/Microsoft.ManagedIdentity/userAssignedIdentities/msi-test-agentpool"
      }
    }
  6. Assign contributor role to managed identity:

     az aks show -g cass-rg -n msi-test --query nodeResourceGroup
     az role assignment create --assignee-object-id ObjectId --role "Contributor" --resource-group nodeResourceGroup

    Example:

    az aks show -g myResourceGroup -n myManagedCluster --query nodeResourceGroup
    "MC_cass-rg_msi-test_eastus"
    az role assignment create --assignee-object-id "c099f8ac-ba91-4c13-9456-3e5614296a35" --role "Contributor" --resource-group "MC_cass-rg_msi-test_eastus"
    {
      "canDelegate": null,
      "condition": null,
      "conditionVersion": null,
      "description": null,
      "id": "/subscriptions/72c299a4-a431-4b8e-80ef-6855109979d9/resourceGroups/MC_cass-rg_msi-test_eastus/providers/Microsoft.Authorization/roleAssignments/d0060dc6-4e9f-452c-8e43-1a661ecf0111",
      "name": "d0060dc6-4e9f-452c-8e43-1a661ecf0111",
      "principalId": "c099f8ac-ba91-4c13-9456-3e5614296a35",
      "principalType": "ServicePrincipal",
      "resourceGroup": "MC_cass-rg_msi-test_eastus",
      "roleDefinitionId": "/subscriptions/72c299a4-a431-4b8e-80ef-6855109979d9/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c",
      "scope": "/subscriptions/72c299a4-a431-4b8e-80ef-6855109979d9/resourceGroups/MC_cass-rg_msi-test_eastus",
      "type": "Microsoft.Authorization/roleAssignments"
    } 
  7. Create Kubernetes secret based on Client ID shown above:

    kubectl create secret generic -n kube-system px-azure --from-literal=AZURE_CLIENT_ID

    Example:

    kubectl create secret generic -n kube-system px-azure --from-literal="68c2bc67-f3a5-459d-9b57-14597efcbc70”
  8. Pass Kubernetes Azure secret to Portworx environment variables:

    env:
    name: AZURE_CLIENT_ID
                  valueFrom:
                    secretKeyRef:
                      name: px-azure
                      key: AZURE_CLIENT_ID

Last edited: Wednesday, Oct 27, 2021